www.securityweek.com 4/22/2026, 12:08:33 PM

SBOMs fall short as supply chain attacks rise despite fresh data

SBOMs were meant to strengthen software supply chain security, but the data have not translated into fewer attacks: the article notes that, five years after their introduction, supply chain compromises are more frequent than ever. In March 2026 alone, two attacks, Trivy and Axios, reportedly infected tens of thousands of organisations, highlighting the pace of modern exploitation.

Independent researcher Devashri Datta argues the problem lies not with the data itself but with how organisations interpret and act on it, calling for a governance-driven intelligence layer that treats SBOMs as lifecycle signals rather than mere inventories. The piece also points to inconsistent delivery of fresh SBOMs and variable quality of VEX statements, with security decisions still described as inconsistent, reactive, and lacking context.

It concludes that the missing piece is a unified decision model enabling explainable and defensible choices across the software lifecycle, a need underscored by regulators and the accelerating speed of attacker AI. According to SecurityWeek, this governance approach could be the key to turning data into durable security decisions.
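As an added illustration of the decision layer described above (not code from the SecurityWeek article or from Datta's work), the snippet below treats the SBOM timestamp as a lifecycle signal and grades each VEX statement before it is allowed to drive a decision. It assumes constructed CycloneDX-style SBOM and OpenVEX-style VEX inputs with placeholder package names and CVE ids, and an assumed 30-day freshness policy.

```python
from datetime import datetime, timedelta

SBOM = {  # constructed CycloneDX-style SBOM; purls are placeholders
    "metadata": {"timestamp": "2026-03-01T00:00:00Z"},
    "components": [{"purl": "pkg:npm/example-http-client@1.2.3"},
                   {"purl": "pkg:golang/example.com/scanner@0.9.0"},
                   {"purl": "pkg:pypi/example-yaml@5.0"}],
}

VEX = [  # constructed OpenVEX-style rows: (vulnerability, product, status, justification)
    ("CVE-0000-0001", "pkg:npm/example-http-client@1.2.3", "not_affected", "vulnerable_code_not_in_execute_path"),
    ("CVE-0000-0002", "pkg:golang/example.com/scanner@0.9.0", "not_affected", None),  # no justification
    ("CVE-0000-0003", "pkg:pypi/example-yaml@5.0", "affected", None),
]

ADVISORIES = [  # constructed advisory feed: (placeholder vulnerability id, affected purl)
    ("CVE-0000-0001", "pkg:npm/example-http-client@1.2.3"),
    ("CVE-0000-0002", "pkg:golang/example.com/scanner@0.9.0"),
    ("CVE-0000-0003", "pkg:pypi/example-yaml@5.0"),
    ("CVE-0000-0004", "pkg:pypi/example-yaml@5.0"),  # no VEX statement covers this one
]
MAX_SBOM_AGE = timedelta(days=30)  # assumed freshness policy

def sbom_is_fresh(sbom, now_iso):
    """Lifecycle signal: an SBOM older than MAX_SBOM_AGE should not drive decisions."""
    stamp = datetime.fromisoformat(sbom["metadata"]["timestamp"].replace("Z", "+00:00"))
    return datetime.fromisoformat(now_iso.replace("Z", "+00:00")) - stamp <= MAX_SBOM_AGE

def decide(sbom, vex, advisories, now_iso):
    """Return one explainable (vuln, purl, action, reason) tuple per advisory in scope."""
    present = {c["purl"] for c in sbom["components"]}
    index = {(v, p): (status, just) for v, p, status, just in vex}
    out = []
    if not sbom_is_fresh(sbom, now_iso):
        out.append(("*", "*", "refresh-sbom", "SBOM older than freshness policy"))
    for vuln, purl in advisories:
        if purl not in present:
            continue  # component not in inventory: nothing to decide
        s = index.get((vuln, purl))
        if s is None:
            out.append((vuln, purl, "triage", "no VEX statement covers this component"))
        elif s[0] == "not_affected" and s[1]:
            out.append((vuln, purl, "accept", "not_affected, justification=" + s[1]))
        elif s[0] == "not_affected":
            out.append((vuln, purl, "escalate", "not_affected claimed without justification"))
        else:
            out.append((vuln, purl, "remediate", "VEX status=" + s[0]))
    return out
```

Every tuple carries the reason it was produced, which is what makes the resulting choices explainable and defensible when reviewed later.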


Article by CyberSIXT